The new malware – MysteryBot

This new malware strain is still under development. However, it’s discovered recently by security researchers from ThreatFabric who happened to run across this new threat.

Security researchers said that the new malware seems to be related with the well-known malware strain LokiBot – a well-known Android banking Trojan.

According to the researchers of ThreatFabric, their code analysis of the new malware strain strongly suggests that there’re clear links between these two. It also clearly suggests that MysteryBot is based on LokiBot code.

Recent report on the new malware strain shows that the MysteryBot also communicates with the same C&C server that LokiBot campaign used. This also suggests that both malware is the product of the same hacker(s) or group.

The reason behind the development of this new malware is unknown. However, it’s assumable that because the source code of LokiBot was leaked online, other cyber-criminal groups are already using the code. That’s why a new malware strain will more likely attract the underground market. However, according to the ThreatFabric security researchers, MysteryBot is not publicized in those forums as it’s still under development.

MysteryBot operable on Android 7 and 8

According to ThreatFabric, the new malware – MysteryBot is unique in many ways than other malware strains like LokiBot, Anubis II, CryEye, DiseaseBot etc.

For example, MysteryBot seems to be the first one that can reliably show “overlay screens” on Android 7 and 8. These overlay screens are efficient in stealing passwords on top of the legitimate apps. Because of security features, no malware ever succeeded in using a proper overlay screens on Android 7 (Nougat) and Android 8 (Oreo).

Now, MysteryBot is able to perfectly show the overlay screen on proper timing – when a user is using banking app. Thanks to the misuse of Android feature “Usage Access permission”, it indirectly leaks the information what app the user is currently using.

Other components

MysteryBot also comes up with other modules like the keylogger and a faulty ransomware module. Let’s talk about these two.

The keylogger is an advanced one – not available in the current Android market. Instead of taking screenshots what users are typing, this advanced keylogger directly captures the location of a touch gesture instead. Then, using the touch positions, the malware tries to guess the password string from the virtual keyboard. This module is still not active.

The faulty ransomware isn’t so well-coded. According to ThreatFabric, instead of encrypting files on the system, the module creates password-protected ZIP archives of those files. The password strength isn’t strong enough to protect the archives from brute-force attacks. Moreover, the passwords can easily be overwritten from the control panel when a new victim with the same ID syncs with the MysteryBot backend.

How to stay secured

There are lots of ways this malware can make into your phone. That’s why it’s strongly recommended that you don’t use apps from any unauthenticated sources, even from the Google Store. There are several apps in the wild that downloads several payloads from a server and if the dev wishes, the payloads are easy to swap with such powerful malware that can collect important information for them.

The post NEW! AIO Android Malware – MysteryBot appeared first on Linux Windows and android Tutorials.

According to security researchers from Trustlook, the Trojan is quite simple in design but uses an advanced method to hide from the system and other defenses.

How the Android Trojan works

The Trojan gains access to boot persistence and executes itself at every boot. At first, the malware unpacks the malicious code from the app’s resources. Then, it tries to modify a bash file at “/system/etc/install-recovery.sh”. If the modification is successful, it allows the malware to run at every boot.

Then, its task is to extract the data from the IM clients. The most popular ones are already mentioned above. The complete list of vulnerable IM clients can be found here. After collecting the information, the malware sends the data to a remote server. The server’s IP address is loaded from a pre-configured file.

This malware was identified inside a Chinese app named “Cloud Module” (in Chinese). The package was named “com.android.boxa”.

Evasion techniques

According to the researchers of Trustlook, despite simple workflow of the Android Trojan (running persistently, extracting info and uploading to remote server), it’s quite efficient in hiding itself. For example, it implements anti-emulator & debugger detection that allows avoiding dynamic analysis. Moreover, it hides strings inside its source code for protection against thwart lackadaisical code reversing.

The method of workflow tells that the attacker is collecting personal information (chat, images or videos) for using later in extortion attempts or blackmailing from the high-profile victims. Researchers didn’t share any information how the malware spreads itself. However, as there’s no Play Store in China, the culprits are most likely spreading the malware via 3^rd-party app stores and Android app forums.

There are also other attempts from Chinese vendors that shipped Android smartphones with built-in Trojan! Learn more about the pre-installed Trojan on the Android smartphones.

The post Android Trojan Steals Info from Messenger, Skype, Twitter & More appeared first on Linux Windows and android Tutorials.

FakeBank is regarded one of the most creative malware for its working method. It whitelists its process so that it can run even on sleep mode. Additionally, it installed TeamViewer to give full access to remote users. With its new variation, it can intercept phone calls and redirect them to scammers.

FakeBank (improved)

FakeBank itself is an innovative one, but the new variation is quite unique on its own. The malware acts just like any other banking Trojan with the new ability. Whenever a user tries to contact with the bank’s phone number, it redirects the call to a scammer’s number. The scammer can easily collect the user’s sensitive information without knowing.

Moreover, the scammer can also call the infected device. The Trojan will show it as a call from the bank, allowing crooks perform their illegal acts without raising any suspicion.

Active regions

Currently, the new FakeBank variation was spotted in South Korea, according to the report of Symantec researchers. Experts found the Trojan injected into 22 apps that are being distributed by 3^rd-party app stores. The links shared via social media are also infected. That’s why it’s the best to follow precautions before you get infected as well.

This indicates the weakest point of Android ecosystem – the app installation process. This is in the hand of the users to make sure that they are installing apps from trusted sources and what permissions they’re giving to these apps. The best practice is not to install apps from other sources and obtain them from Google Play Store only that provides a small scanning of all the apps.

Previously, we also saw such attacks that stole bank credentials from apps. Check out the infamous Man-in-the-Middle attack.

The post New Android Malware – FakeBank (improved) appeared first on Linux Windows and android Tutorials.